DescriptionAlexey Tikhonov
2021-01-25 14:26:32 UTC
(this is to complement bz 871208)
When IPA allows to add AD users and groups directly to sudo rules (FreeIPA 4.9.1 or later), external groups will already have '%' prefix. Thus, we don't need to add additional '%'.
```
# ipa sudorule-show testrule --all --raw
dn: ipaUniqueID=aa6aba2c-5f0d-11eb-9874-fa163e2c6cfa,cn=sudorules,cn=sudo,dc=ipa,dc=test
cn: testrule
ipaenabledflag: TRUE
hostcategory: all
externaluser: administrator
ipasudorunasextusergroup: %domain admins
ipaUniqueID: aa6aba2c-5f0d-11eb-9874-fa163e2c6cfa
memberallowcmd: ipaUniqueID=6c5477ec-5bd3-11eb-98ec-fa163e2c6cfa,cn=sudocmds,cn=sudo,dc=ipa,dc=test
objectClass: ipaassociation
objectClass: ipasudorule
# ldbsearch -H /var/lib/sss/db/cache_ipa.test.ldb 'cn=testrule'
asq: Unable to register control with rootdse!
# record 1
dn: name=testrule,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
cn: testrule
dataExpireTimestamp: 1611580019
name: testrule
objectClass: sudoRule
originalMemberCommand: ipaUniqueID=6c5477ec-5bd3-11eb-98ec-fa163e2c6cfa,cn=sud
ocmds,cn=sudo,dc=ipa,dc=test
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: %%domain admins
sudoUser: administrator
distinguishedName: name=testrule,cn=sudorules,cn=custom,cn=ipa.test,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
```
Pushed PR: https://github.com/SSSD/sssd/pull/5476
* `master`
* cd48ef5071741443e3b84e100a4d4d28e3578e4f - sudo runas: do not add '%' to external groups in IPA
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1666